apparmor-parse cannot parse profile with stacking //&
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| apparmor (Ubuntu) |
Confirmed
|
Undecided
|
John Johansen | ||
Bug Description
I am experimenting with the new profile stacking feature of AppArmor on Ubuntu 16.10.
However, when trying the load a profile with stacking ("//&" ), the apparmor-parser will report the following erros:
AppArmor parser error for /etc/apparmor.
The system is Ubuntu 16.10 Server edition. I am trying to confine a test program at /root/test/shell. The profile looks like the following:
#include <tunables/global>
/root/test/shell {
#include <abstractions/base>
/bin/touch ix,
/root/test/read px -> readtest1 //& readtest2,
/root/test/shell mr,
profile readtest1 {
#include <abstractions/base>
/root/
/root/test/read mr,
}
profile readtest2 {
#include <abstractions/base>
/root/
/root/test/read mr,
}
}
If the stacking works, when the /root/test/shell execs /root/test/read, it should not be able to read either file1 or file2.
I am not sure if I am using the stacking in the wrong way, or there is a bug in userspace support for stacking.
| John Johansen (jjohansen) wrote | #1 |
| Yuqiong Sun (yus138) wrote | #2 |
| John Johansen (jjohansen) wrote | #3 |
| Changed in apparmor (Ubuntu): | |
| status: | New → Confirmed |
| assignee: | nobody → John Johansen (jjohansen) |
Yuqiong Sun,
the parser is sensitive to white space. If your profile has white space in the name you will need to use quotes around it
/root/test/read px -> "readtest1 //& readtest2",
otherwise you will need to remove the white space and specify it as
/root/test/read px -> readtest1/
ideally the parser would properly handle white space in this situation and properly parse this but at the moment it doesn't. If this fixes your problem I will mark this bug as a wish list feature. If not please let us know so we can further debug the problem.